Executive Summary
A high-severity security flaw has been disclosed in Axios, one of the most widely used HTTP client libraries in the JavaScript ecosystem. Tracked as CVE-2026-44488 with a CVSS score of 7.5 (High), the vulnerability affects Axios versions 1.7.0 through 1.15.x when the fetch adapter is in use.
The flaw causes Axios to silently ignore configured maxContentLength and maxBodyLength limits when sending requests with the fetch adapter, so applications that rely on these limits for protection against unbounded payloads can receive responses, or send request bodies, of arbitrary size.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-44488 |
| CVSS Score | 7.5 (High) |
| CWE | CWE-770: Allocation of Resources Without Limits or Throttling |
| Attack Vector | Network |
| Attack Complexity | Low |
| Authentication | None required (server-side application using Axios as HTTP client) |
| Impact | Denial of Service / Memory Exhaustion |
| Affected Versions | Axios 1.7.0 – 1.15.x |
| Fixed Version | 1.16.0+ |
Technical Details
Background: Axios Adapters
Axios supports multiple underlying transport adapters. Historically, the default adapter in Node.js was the http/https adapter (using Node's built-in modules), while browsers used the XMLHttpRequest adapter. Axios 1.7.0 introduced native support for the Fetch API as an adapter — used when adapter: 'fetch' is explicitly configured, or when Axios resolves to fetch in environments where it is available (e.g., modern Node.js 18+, edge runtimes, Deno, Bun).
The Bug
When Axios processes an HTTP request via the fetch adapter, the following configuration properties are silently ignored:
```javascript
const response = await axios.get('https://api.example.com/large-file', {
  adapter: 'fetch', // Fetch adapter selected
  maxContentLength: 1000, // ← IGNORED with fetch adapter
  maxBodyLength: 1000, // ← IGNORED with fetch adapter
});
// Response body can be any size — no enforcement occurs
```
The xhr and http adapters correctly implement these limits and throw ERR_CANCELED errors when a response or request body exceeds the configured maximum. The fetch adapter bypasses this enforcement entirely.
Why This Matters
Applications use maxContentLength and maxBodyLength to:
- Protect against memory exhaustion — preventing a malicious or misbehaving server from sending a multi-gigabyte response that fills available memory
- Prevent Denial of Service — server applications using Axios as an HTTP client can be overwhelmed by unexpectedly large response payloads
- Enforce business logic constraints — file upload validation, content size policies, and SLA-related limits
When these limits are ignored, an application that believes it is protected may consume unbounded memory processing a large response, leading to crashes, OOM kills, or cascading failures in dependent services.
Affected Configurations
The vulnerability affects applications that:
- Explicitly set adapter: 'fetch' in their Axios configuration
- Run in environments where Axios auto-selects the fetch adapter (Node.js 18+ with global fetch, edge runtimes, Cloudflare Workers, Deno, Bun)
- Depend on maxContentLength or maxBodyLength as a security or resource control
Applications using the default xhr adapter (traditional browser XMLHttpRequest) or the http adapter (Node.js) are not affected.
Remediation
Primary Fix: Upgrade Axios
Upgrade to Axios 1.16.0 or later, which correctly enforces size limits across all adapters including fetch.
```bash
npm update axios
# or
npm install axios@latest
```
Verify the installed version:
```bash
npm list axios
```
Verify Adapter Selection
Review your Axios configuration and runtime environment to determine which adapter is active:
```javascript
import axios from 'axios';
// Check which adapter will be used
const instance = axios.create({});
console.log(instance.defaults.adapter); // 'http', 'xhr', or 'fetch'
```
Immediate Workarounds
If upgrading immediately is not possible, implement size enforcement at the application layer:
```javascript
// Option 1: Force the http adapter in Node.js (the http adapter enforces the limits)
const instance = axios.create({ adapter: 'http' });
// Option 2: Implement manual size checking in a response interceptor
instance.interceptors.response.use((response) => {
  const contentLength = response.headers['content-length'];
  const MAX = 1_000_000; // 1MB
  // Only catches responses that declare their size via Content-Length
  if (contentLength && parseInt(contentLength, 10) > MAX) {
    throw new Error('Response too large');
  }
  return response;
});
```
Ecosystem Impact
Axios is one of the most downloaded npm packages in existence, with hundreds of millions of weekly downloads. The introduction of the fetch adapter in v1.7.0 and its gradual adoption in modern runtimes means this vulnerability has a wide blast radius — particularly in:
- Edge functions (Cloudflare Workers, Vercel Edge, Fastly Compute) where fetch is the only available adapter
- Bun and Deno applications that use Axios for HTTP client functionality
- Node.js 18+ server applications where Axios may auto-select fetch
Organizations performing dependency audits should flag any Axios version between 1.7.0 and 1.15.x that is used with the fetch adapter or in edge/modern runtime environments.
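While the upgrade is pending, the Content-Length interceptor shown under Immediate Workarounds misses responses that arrive without a Content-Length header (chunked transfer encoding). The following is an added example, not code from the advisory or from the Axios project, that checks the declared size first and then the size actually received; MAX_RESPONSE_BYTES is a constructed limit, and installResponseLimit assumes an Axios-like instance exposing interceptors.response.use.

```javascript
// Added example (not from the advisory or the Axios project): application-layer
// response size enforcement that also covers bodies with no Content-Length header.
const MAX_RESPONSE_BYTES = 1_000_000; // constructed limit: 1 MB

// Byte size of whatever body Axios handed back, whatever the responseType was.
function bodyByteLength(data) {
  if (data === null || data === undefined) return 0;
  if (typeof data === 'string') return Buffer.byteLength(data, 'utf8');
  if (Buffer.isBuffer(data) || ArrayBuffer.isView(data)) return data.byteLength;
  if (data instanceof ArrayBuffer) return data.byteLength;
  // Already-parsed JSON: re-serialise to approximate the wire size.
  return Buffer.byteLength(JSON.stringify(data), 'utf8');
}

// Reject on the declared size when present, then on the size actually received,
// so a missing or bogus Content-Length header cannot bypass the limit.
function enforceResponseLimit(response, max = MAX_RESPONSE_BYTES) {
  const declared = response.headers && response.headers['content-length'];
  const declaredBytes = declared === undefined ? NaN : Number.parseInt(declared, 10);
  if (Number.isFinite(declaredBytes) && declaredBytes > max) {
    throw new Error(`Response too large: Content-Length ${declaredBytes} > ${max}`);
  }
  const received = bodyByteLength(response.data);
  if (received > max) {
    throw new Error(`Response too large: received ${received} bytes > ${max}`);
  }
  return response;
}

// Register the check on an Axios instance (hypothetical caller-supplied instance);
// returns the interceptor id so it can be ejected after the upgrade.
function installResponseLimit(instance, max = MAX_RESPONSE_BYTES) {
  return instance.interceptors.response.use((res) => enforceResponseLimit(res, max));
}
```

The check runs only after the fetch adapter has buffered the body, so it keeps oversized data out of application code but does not prevent the allocation itself; only the upgrade to 1.16.0+ restores enforcement during the transfer.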